Fritz Borgstedt wrote:
> The web interface is for admins; what are the files a server admin
> should not have browse access to?
This is a common flaw in unchecked web applications, exploiting cross-site scripting or directory traversals. To illustrate a scenario: the service/daemon runs in a context that may not have the same security credentials as the person administrating ASSP. Many organizations have email administrators that are separate from network, system or even desktop administrators. By exploiting the flaw, the user could gain access to a part of the file system, or even resources from another computer, that they would not otherwise have access to.

Examples:

  http://[host]:55555/get?file=c:\dir\subdir\file.ext
  http://[host]:55555/get?file=\\server\share\dir\file.ext

The resources would be accessed and presented for view/download by the ASSP service/daemon, regardless of the privileges of the user that is logged in. You will find that *MANY* people are running ASSP in an elevated security context.

My original (descriptive) posting to the Full-Disclosure list can be read here:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/048853.html

_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
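The following is an added example and not ASSP's own code (ASSP is written in Perl; this is a Python model of the same idea). It shows the `get?file=...` behaviour described above in its flawed form, where the request parameter is simply the path the daemon opens under its own credentials, beside a hardened resolver that confines the parameter to one hypothetical export directory (`ALLOWED_ROOT`, an assumption) and refuses drive-letter, UNC, absolute and `..` paths before checking that the resolved result still lies under that directory:

```python
# Added example, not ASSP's own code: a minimal model of a file-download
# handler like the get?file=... endpoint described above. vulnerable_resolve()
# mirrors the flaw (the request parameter is the path the daemon opens, with
# the daemon's privileges); hardened_resolve() confines the parameter to one
# hypothetical export directory and rejects absolute, UNC and traversal paths.
import os
from pathlib import Path, PureWindowsPath
from typing import Optional

# Hypothetical directory the web interface is allowed to serve files from.
ALLOWED_ROOT = Path(os.getcwd()) / "assp_web_root"


def vulnerable_resolve(param: str) -> str:
    """The flawed behaviour: whatever the client sends is what gets opened.
    c:\\dir\\subdir\\file.ext or \\\\server\\share\\dir\\file.ext go straight
    to the filesystem under the service account's credentials."""
    return param


def hardened_resolve(param: str, root: Path = ALLOWED_ROOT) -> Optional[Path]:
    """Return the file to serve, or None if the request must be refused."""
    if not param or "\x00" in param:
        return None
    # Treat both separator styles the same so a Windows-style path is caught
    # no matter which OS the daemon runs on.
    normalised = param.replace("\\", "/")
    # Absolute POSIX path (/etc/passwd) or UNC path (//server/share/...).
    if normalised.startswith("/"):
        return None
    # Drive letter (c:\..., c:..) or UNC root as Windows would parse it.
    if PureWindowsPath(param).drive:
        return None
    # Only plain relative components; any ".." is refused outright rather
    # than normalised away.
    parts = [seg for seg in normalised.split("/") if seg not in ("", ".")]
    if not parts or ".." in parts:
        return None
    candidate = (root / Path(*parts)).resolve()
    # Final containment check after resolving symlinks: the result must
    # still sit below the export root.
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for req in ("logs/maillog.txt", r"c:\dir\subdir\file.ext",
                r"\\server\share\dir\file.ext", "../../etc/passwd"):
        print(f"{req!r:40} -> {hardened_resolve(req)}")
```

The containment check is deliberately done twice: the component filter rejects obviously hostile input early, and the `relative_to` test after `resolve()` catches anything that slips through via symlinks. Neither replaces the other point made above: the daemon should also not run in an elevated security context, because any remaining bug in the handler runs with whatever privileges the service account has.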
